Help Center> CodeArts Deploy> User Guide> Managing Basic Resources> Managing Host Clusters> Host Connection Mode> Security Configuration
Updated on 2024-03-04 GMT+08:00
View PDF

Security Configuration

To ensure successful host connectivity, configure the host as follows:

Configuring a Security Group

Before verifying host connectivity, configure a security group and enable some ports. Otherwise, the connectivity verification may fail. (The following uses a Linux host as an example.)

  1. Go to the console. In the upper left corner of the page, choose Service List > Compute > Elastic Cloud Server. The Elastic Cloud Server page is displayed.
  2. Click the target ECS. On the ECS details page, click the Security Groups tab. Click the security group ID. On the page that is displayed, click the Inbound Rules.

  3. Click Fast-Add Rule and set the parameters as follows:

    • For Linux hosts, enable port 22 in the inbound rule. For Windows hosts, enable ports 54, 5985, and 5986 in the inbound rule when adding the target host or proxy host. Set the remote end to 0.0.0.0/0 (open the preceding ports for all IP addresses).

      If you have high security requirements on the overall deployment process and the preceding ports cannot be opened to all IP addresses, add the following IP addresses to the security group and remove port restrictions. Otherwise, host connectivity verification cannot be performed.

      China (all regions):

      Singapore:

      114.119.185.21

      Sao Paulo:

      159.138.214.24

      Mexico:

      122.8.183.54
110.238.80.148

      The IP addresses above are open IP addresses in the official resource pool of CodeArts Deploy for communications with target hosts and proxy hosts.

    • Remove the inbound restriction on the port of the application deployed on the host (for example, port 8080 of the Tomcat application or all ports of other applications must be enabled in the inbound direction). Otherwise, the application cannot be accessed.
    • Remove the restriction on the outbound direction or at least make ports 80 and 443 accessible.

Configuring the Firewall

Check the firewall configuration of the host and configure the firewall to allow the SSH protocol port to be accessed. Otherwise, the connectivity verification fails. The following part describes how to configure the firewall for different operating systems.

Linux Firewall Configurations

Table 1 Linux firewall configurations

OS Series

Configuration Method

CentOS/EulerOS/UnionTechOS
  1. Check whether the SSH software package is installed on the local host.
    rpm -qa | grep ssh
  2. If no SSH software package is available, run the following command:
    yum install openssh-server
  3. Enable the SSH service.
    service sshd start
  4. Open the sshd configuration file.
    vi /etc/ssh/sshd_config
  5. Delete the comment tag before the listening port number.
  6. Restart the SSH service. Run the following command:
    sudo service sshd start
  7. Check whether port 22 is enabled.
    netstat -ntpl | grep 22

Debian
  1. Log in to the system as the root user and install the ufw.
    apt install ufw
  2. Enable port 22.
    ufw allow 22/tcp
  3. Check whether port 22 is enabled.
    ufw status

Ubuntu
  1. Check the IP address of the local host.
    ifconfig
  2. Check whether the 22 port is occupied.
    netstat -nltp|grep 22
  3. If no port process exists, run the following commands in sequence:
    sudo apt-get install openssh-server
sudo apt-get install ufw
sudo ufw enable
sudo ufw allow 22

Windows Firewall Configurations

This section uses Windows Server 2012 as an example.

  1. Choose Windows Firewall on the control panel of the Windows host.

  2. Click Advanced settings.

  3. Click Inbound Rules.

  4. Click New Rule.

  5. Set Rule Type to Port and click Next.

  6. Select TCP and Specific local ports, enter port 5986, and click Next.

  7. Select Allow the connection, and click Next.

  8. Select all the options for Profile and click Next.

  9. Enter a rule name and click Finish.

Configuring the IP Address Blacklist and Whitelist

You can add IP addresses to the firewall whitelist and check whether these IP addresses are blocked by the firewall for security purposes in the scenario where the official resource pool is used.

Commands related to the IP address whitelist

  • Check whether there are blocked IP addresses:
    vi /var/log/secure
  • Check whether the preceding IP addresses are blocked by the host. If yes, run the following command to remove the restriction:
    vi /etc/hosts.deny
  • Add required IP addresses to the whitelist. Example:
    vi /etc/hosts.allow 
sshd:***.***.***.***:allow        #Use the IP address to be added to the whitelist.
Parent topic: Host Connection Mode